As the site mentions, the PHP vulnerabilities are with specific libraries (Guzzle 4+ and Artax are mentioned), not the curl library that comes with PHP that most sites are probably using. PHP’s curl library requires explicit setup to use a proxy by setting CURLOPT_PROXY.

I believe the biggest problem is thinking that configuration and interprocess communication were somehow related since they both are a “bag of properties”. I mitigate this in my own designs by using lower-case environment variables for my own configuration – it “looks weird” to people, and occasionally I see other programmers send me patches that “fix” the case of my variables, but then I point out that my implementation of http_proxy was always immune to this attack, back in the 1990s.